stackoom
  简体   繁体   中英

Stop user's executing JavaScript from console

 原文  2013-05-19 18:42:31       javascript/ html5/ node.js/ socket.io

Question

I've been mucking around creating a little multiplayer game using HTML5 technologies. I used Node.js and Socket.IO to manage server-side business.

My problem lies in users being able to enter in their own JavaScript through the Chrome console (and various other consoles im sure). For example, a user might enter this into the console: 

socket.emit("new player", {user: username, x: localPlayer.getX(), y: localPlayer.getY()});

This would add a new player to the game. What is the best way I should go about stopping this? Is there a way I can catch these entries and simple deny them (followed by slapping the user around the face)? It would be also good if I could stop them editing things like the GUI by changing variables, eg: 

gameStatus = "trolled lol troll client-side editing lol";

Thanks, Joel

3 answers

solution1
 12 ACCPTED  2013-05-19 18:45:40

You cannot do that.

You can never trust anything that comes from a client.
Even if you could somehow affect the console from your page, an attacker could write his own web browser (read: fork Chromium) and bypass your restrictions.
Or the attacker could simply handcraft HTTP requests without any browser at all.

Instead, you need to validate everything on the server.
Whenever any client does something, the server needs to check whether that client is actually allowed to do that.

solution2
 0  2013-05-19 19:07:51

As noted by SLaks, there's no way to prevent someone from hacking and it's even more true for a javascript/html client as it is easier. There are ways to discourage or make it harder though as i said in my comment. I am posting more suggestions

  1. Obfuscate your javascript code
  2. Use an encryption method and encrypt all your requests to your server before sending them using a key (make it hard to find the key)
  3. decrypt your request on server side using same encryption method and key as in the javascript client.

solution3
 0  2013-05-20 10:43:08

What we mean about not trusting what comes from client side is doing exactly what you do when you create a form. You usually check post method, session, a unique token unrelated to the meaningful data you are sending - usually a hidden text input created on the server side and checked when form is submited. search validating and sanitizing form. On top of this you should encript the data for sending so it won't be possible to rebuild the structure using the network tab on chrome or firebug or even a proper traffic analyser.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Stop javascript from executing How to prevent user from executing javascript code from console? DataTable causes javascript to stop executing - no errors in console Stop links from executing with JavaScript stop inline javascript from executing How to stop further JavaScript events from executing Javascript - Stop all functions from executing Javascript - Stop function from executing with function How to stop javascript from executing after clicking stop button? Stop executing JavaScript
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM